Ryan Radia focuses on adapting law and public policy to the unique challenges of the information age. His research areas include information privacy, telecommunications, competition policy, free speech, intellectual property, and media regulation.

Last week, California’s Supreme Court reached a controversial 5-2 decision holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to 4th Amendment to the Constitution.

California’s opinion in Diaz is the latest of several recent court rulings upholding warrantless searches of mobile phones incident to arrest. While this precedent is troubling for civil liberties, it’s not a death knell for mobile phone privacy. If you follow a few basic guidelines, you can protect your mobile device from unreasonable search and seizure, even in the event of arrest.

While the search incident to arrest exception gives police free rein to search and seize mobile phones found on arrestees’ persons, police generally cannot lawfully compel suspects to disclose or enter their mobile phone passwords. That’s because the Fifth Amendment’s protection against self-incrimination bars the government from compelling an individual to divulge any information or engage in any action considered to be “testimonial”—that is, predicated on potentially incriminating knowledge contained solely within the suspect’s mind.

As such, if you are arrested or detained by a law enforcement officer, you cannot lawfully be compelled to tell the officer anything other than your basic identifying information—even if the officer has not read you the Miranda warning. Exercising your right to remain silent cannot be held against you in a court of law, nor can it be used to establish probable cause for a search warrant.

While police cannot force you to disclose your mobile phone password, once they’ve lawfully taken the phone off your person, they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack). If police succeed in gaining access your mobile phone, they may make a copy of all information contained on the device for subsequent examination and analysis.

Alarmingly, in many cases, extracting data from a mobile device is possible even if the device password is not known. Such extraction techniques take advantage of widely known vulnerabilities that make it disturbingly simple to access data stored on a smartphone by merely plugging the device into a computer and running specialized forensics software. For instance, Android and iPhone devices are vulnerable to a range of exploits, some of which Ars documented in 2009.

Therefore, if you care about your privacy, password-protecting your smartphone should be a no-brainer. Better yet, you should ensure your smartphone supports a secure implementation of full-disk encryption. With this method of encryption, all user information is encrypted while the phone is at rest. While it isn’t absolutely foolproof, full-disk encryption is the most reliable and practical method for safeguarding your smartphone data from the prying eyes of law enforcement officers (and from wrongdoers, like the guy who walks off with your phone after you accidentally leave it in a bar.)

Unfortunately, few consumer-grade smartphones support full device encryption. While there are numerous smartphone apps available for encrypting particular types of files, such as emails (i.e. NitroDesk TouchDown), voice calls (i.e. RedPhone), and text messages (i.e. Cypher), these “selective” encryption tools offer insufficient protection unless you’re confident that no incriminating evidence exists anywhere on your smartphone outside of an encrypted container.

Despite the generally sorry state of mobile device security, a few options exist for privacy-conscious mobile phone owners. Research in Motion’s BlackBerry, when configured properly, is still widely considered to be the most secure smartphone platform. In fact, BlackBerry’s transport encryption is so robust that a few foreign governments have recently forced RIM to install backdoors for law enforcement purposes.

For information on the state of mobile phone security, see this excellent InfoWorld article in which Galen Gruman assesses each major mobile platform’s security strengths and weaknesses.

With the ascent of cloud computing, smartphones increasingly provide a window into our private lives, enabling us to access and store practically limitless amounts of sensitive personal data. As ultra-fast 4G wireless networks emerge, mobile devices will likely grow even more intertwined with our digital lives. Just as we have long stored our personal papers and effects in our desks or file cabinets at home, today we’re just as likely to store such information in digital format on cloud services like Windows Live or Google. Thus, the Fourth Amendment demands that mobile phones—a primary gateway to our lives in the cloud—be treated as an extension of the home, rather than mere physical containers analogous to cigarette packs.

California Deputy Attorney General Victoria Wilson, who argued Diaz for the state, has told reporters that the matter of warrantless cell phone searches is ripe for resolution by the US Supreme Court. If that happens, let’s hope the nation’s high court sides with common sense and reaffirms its 2001 ruling in Kyllo v. USthat the Fourth Amendment’s protections must adapt to safeguard our rights as technology evolves.

Reader Comments (1)

I have followed the hoary comment about being a liberal when young, a Republican in the middle years, and I'm now a conservative fast heading toward libertarian. Has anyone in government (including the judiciary) recently read the Constitution they are sworn to uphold?

Recently Twitter announced it was giving its entire archive of public Tweets to the Library of Congress. A public tweet is determined at the time a tweet was sent if the sender had engaged a software selection saying that their tweets were public or private. It is unclear whether this will be a continuing transfer of digital communications into the government's archives, ostensibly for future academic research.

GPS devices (including phones) can pinpoint your locations over time, photos taken with camera phones and digital cameras can embed date, time, and GPS location information into each photograph. Stalkers have been using this information from photos uploaded to photo sharing and social networking sites to locate individual's home and work locations. The LOC also has web archive project underway.

We saw in the 2008 election how supporters of Obama used digital information to issue threats and intimidation to conservative donors and others opposing the election of Obama. Enlarging the power to access private information and scrutinize and/or archive is to be resisted. Digitizing all our medical records into a government run database is a bridge too far.

Where are all the liberals now screaming about privacy issues and government intrusion? They screamed bloody murder when Bush wanted the NSA to capture telephonic and email communication between American locations and foreign locations tied to terrorist groups and activities. But this tidal wave of government intrusion against every single citizen in the nation doesn't warrant even a whimper from them. ACLU - HELLO! Anybody home? Or do they just go silent when it allows progressive power to expand?